Magento Community Edition 1.9.2

We are pleased to bring to you Magento Community Edition, 1.9.2, which provides merchants with many enhancements that make it easier to build and maintain a high quality and secure site.

Important! Use Magento Community 1.9.2 or later for all new installations and upgrades to ensure that you get the latest fixes, features, and security updates.

Solutions for Developers

Magento Community Edition 1.9.2 includes the latest versions of the Zend 1 Framework and Redis integration, as well as refinements to full-page caching that enable more pages to be served from cache. In addition, this release includes many enhancements as part of our commitment to continually improve product quality and to integrate previous patches into the core code.

This release of Magento Community Edition 1.9.2 includes an automated testing framework with nearly 170 automated functional tests. Developers can use the Magento Test Framework (MTF) to improve the quality and time to market of implementations, and to perform basic acceptance testing of extensions, customizations, and upgrades. To learn more, see: Magento Test Framework.

Translations are available separately on the Support and Partner portals.

On May 31, 2015, USPS made changes to their API that impact international shipping rate requests to and from Canada. As a result, some Canadian shipping rates are returned incorrectly, and customers are unable to see all available shipping options. The USPS API patch ensures that Canadian international shipping rates are returned correctly, and that customers can see all available shipping options during checkout. To learn more, see: USPS API Update – What You Need to Know by WebShopApps, a Magento Partner.

Cross-site request forgery in Magento Connect Manager allows an attacker to execute actions such as the installation of a remote module that leads to the execution of remote code. The attack requires a Magento store administrator, while logged in to Magento Connect Manager, to click a link that was prepared by the attacker.

Directly accessing the URL of files that are related to Magento Connect produces an exception that includes the server path. The exception is generated regardless of the configuration settings that control the display of exceptions. There is a low risk of attackers gaining a sufficient understanding of the site structure to target an attack.

The vulnerability allows an attacker to include an unescaped customer name in the New Orders RSS feed. By manipulating the customer name, an attacker can inject incorrect or malicious data into the feed, and expose the store to risk.

Product(s) Affected:

Magento CE prior to 1.9.2.0, and all versions of EE.

Fixed In:

CE 1.9.2.0

Reporter:

Bastian Ike

SUPEE-5994 Patch Bundle

This bundle includes protection against the following security-related issues:

Enables an attacker to obtain address information (name, address, phone) from the address books of other store customers.

During the checkout process, the attacker can gain access to an arbitrary address book by entering a sequential ID. No payment information is returned. The only requirements for the attacker are to create an account in the store, put any product into the cart, and start the checkout process.

This attack can be fully automated, and a functional proof of concept exists.

The attacker only needs to create an account with the store. While viewing their own recurring profile, the attacker can request an arbitrary recurring profile by using a sequential ID. The information is then returned to the attacker.

This attack can be fully automated, and a manual proof of concept exists.
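Both issues above are the same defect: a record is selected by the sequential ID in the request alone, with no check that it belongs to the logged-in customer. The following Python illustration is an added example, not Magento's own PHP code, and uses constructed in-memory tables; it shows the vulnerable lookup next to the ownership-scoped one and a small regression check that counts how many foreign records each variant exposes.

```python
class AccessDenied(Exception):
    """Raised when a record is missing or belongs to another customer."""

# Constructed sample tables: sequential record ids mapped to the owning customer.
ADDRESSES = {
    1: {"customer_id": 100, "name": "Alice", "street": "1 Main St"},
    2: {"customer_id": 200, "name": "Bob", "street": "2 Elm St"},
}
RECURRING_PROFILES = {
    10: {"customer_id": 100, "plan": "monthly"},
    11: {"customer_id": 200, "plan": "yearly"},
}
TABLES = {"address": ADDRESSES, "recurring_profile": RECURRING_PROFILES}

def load_record_unsafe(session_customer_id, kind, record_id):
    """Vulnerable pattern: the request id is the only selector, so the
    session's customer id is never consulted and any id can be read."""
    return TABLES[kind].get(record_id)

def load_record(session_customer_id, kind, record_id):
    """Hardened pattern: the lookup is scoped to the authenticated customer.
    Missing and foreign records are treated identically, so the response does
    not reveal whether a given id exists."""
    record = TABLES[kind].get(record_id)
    if record is None or record["customer_id"] != session_customer_id:
        raise AccessDenied(f"{kind} {record_id} is not accessible to this customer")
    return record

def can_access(session_customer_id, kind, record_id):
    """Boolean wrapper around load_record for tests and authorization checks."""
    try:
        load_record(session_customer_id, kind, record_id)
        return True
    except AccessDenied:
        return False

def readable_foreign_ids(session_customer_id, kind, loader):
    """Regression check: walk a small id range as one customer and return the
    ids whose records belong to someone else. Expected to be empty once the
    hardened loader is in place."""
    leaked = []
    for record_id in range(1, 20):
        try:
            record = loader(session_customer_id, kind, record_id)
        except AccessDenied:
            continue
        if record is not None and record["customer_id"] != session_customer_id:
            leaked.append(record_id)
    return leaked
```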

This issue enables an attacker to execute JavaScript code within the context of a Magento Connect Manager session. If the administrator clicks a malicious link, the session can be stolen, and malicious extensions installed.

An attacker can provide input that executes as a formula when it is exported and opened in a spreadsheet such as Microsoft Excel. The formula can modify data, export personal data to another site, or cause remote code execution. The spreadsheet usually displays a warning message, which the user must dismiss for the attack to succeed.
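The usual mitigation for this export issue is to neutralise cells that a spreadsheet would parse as a formula before they are written to CSV. The Python example below is an added illustration, not Magento's export code; the trigger-character list follows common guidance for Excel and LibreOffice, the single-quote prefix is one widely used neutralisation, and the sample rows are constructed.

```python
import csv
import io

# Leading characters that Excel/LibreOffice treat as the start of a formula.
# Tab and carriage return are included because some spreadsheets honour them too.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def looks_numeric(value):
    """Plain numbers such as -12.50 start with a trigger but are harmless."""
    try:
        float(value)
        return True
    except ValueError:
        return False

def neutralize_cell(value):
    """Return the cell as text a spreadsheet will display rather than evaluate.
    A leading single quote types the cell as a string. Non-string and empty
    values pass through unchanged."""
    if not isinstance(value, str) or not value:
        return value
    if value[0] in FORMULA_TRIGGERS and not looks_numeric(value):
        return "'" + value
    return value

def export_rows(rows):
    """Write rows to CSV with every cell neutralised and fully quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()

# Constructed sample: one customer name that a spreadsheet would evaluate,
# a negative amount that must survive untouched, and a phone number whose
# leading plus sign must be neutralised.
SAMPLE_ROWS = [
    ["customer_name", "phone", "order_total"],
    ["Alice Example", "+44 20 1234 5678", "-12.50"],
    ["=SUM(1,2)", "", "40.00"],
]
```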

Enables an attacker to execute JavaScript in the context of a customer session. If a customer clicks a malicious link, the attacker can steal cookies and hijack the session, which can expose personal information and compromise checkout.

An attacker can publish a malicious extension package. When the package is installed by a customer, it can overwrite files on the server. The attacker must first publish a package and then entice a customer to install it. The package might also contain a malicious payload.

Product(s) Affected:

Magento CE prior to 1.9.2.0, and all versions of EE.

Fixed In:

CE 1.9.2.0

Reporter:

iSec Partners (external audit)

SUPEE-5344 Patch

Magento Community Edition 1.9.2 provides protection against a specific remote code execution (RCE) vulnerability known as the “shoplift bug,” which allows hackers to obtain Admin access to a store.

Patch Details

Type:

Remote Code Execution

CVSS Severity:

9.1 (Critical)

Known Attacks:

Yes

Description:

The authentication bypass uses a special parameter that allows the execution of an Admin action. That Admin action is vulnerable to SQL injection, which allows code to be inserted into the database and executed. As a result, the store can be fully compromised by creating counterfeit administrator accounts and/or installing malware on the server.

Product(s) Affected:

Magento CE prior to 1.9.1.1, and Magento EE prior to 1.14.2.0.

Fixed In:

CE 1.9.1.1

Reporter:

Netanel Rubin

Additional Security Enhancements

Access Control List (ACL) nodes without value are now set to DENY access by default.

The dates that customers and customer addresses were created are now correct. This fix does not apply to customers or addresses created in earlier versions. Only customers and addresses created with Magento Community ver. 1.9.2 show the correct dates.

Database

Deleting large numbers of products from the Admin no longer returns SQLSTATE errors.